Custom SaaS Connector: Delta Aggregation for Accounts and Entitlements

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

I am building a custom Saas connector with these configs-

{
  "name": "custom-rest-aggregation",
  "supportsStatefulCommands": true,
  "commands": [
    "std:account:list",
    "std:account:read",
    "std:entitlement:list",
    "std:entitlement:read",
    "std:test-connection"
  ]
}

Official delta reference:

Use cases I want to support:

  • Full Account Aggregation
  • Delta Account Aggregation
  • Full Different type of Entitlement Aggregation
  • Delta Different type of Entitlement Aggregation
    • Group
    • Role

My understanding:

  • Full aggregation uses the same list command with:\ 
    • {
  "stateful": false
}
  • Delta aggregation uses: 
    • {
  "stateful": true,
  "state": {
    "highWaterMark": "previous-value"
  }
}
  • Account aggregation uses: std:account:list
  • Entitlement aggregation uses: std:entitlement:list
    • with type 
      • {
  "type": "group"
}
or:
{
  "type": "role"
}

Expected behavior:

  • Full aggregation returns all records
    • All Records are aggregated in the Source [Account or Entitlement]
  • Delta aggregation returns only created/modified/deleted records.
    • Updates only the specific record in the ISC Account/Entitlement after aggregation, no change for other records
  • Deleted records are returned with: 
    • {
  "id": "record-id",
  "deleted": true
}
    • This record should be deleted from ISC [Account/ Entitlement]

Current behavior:

  • Only Full Aggregation is being triggered [For Both: Account and Entitlement]

Question:

  • If any of the features are not supported by ISC in the custom connector

  • Is this the correct approach for enabling full and delta aggregation for accounts, groups, and roles

  • Configuration pattern
    *

    image
    image1140×654 24.6 KB

  • How will different operations be triggered from the ISC UI
    *

  • image
    image1677×842 31.3 KB

2

Hello @shsakshi ,

I believe your configuration is correct without seeing the connector-spec and the methods themselves. I would ensure that you are specifying the connector-spec configuration item with the key spConnEnableStatefulCommands. In addition, ensure you are calling the saveState before closing out your account list method.

Per my knowledge, the current SAAS Connector framework does not support handling of deleted/removed accounts during a delta aggregation, only during a full aggregation when the records no longer appear.

Similar to other OOB sources, the delta aggregation is a flag set on the configuration and once enabled, all aggregations will flow through the delta configuration.

When defining the code logic, it is important to ensure that you return all accounts when the stateful information is not available and ensures a proper state saving.

After you have run the aggregation with delta enabled, you can check the source’s connectorAttributes to see the state which was saved (get-source | SailPoint Developer Community). This may help indicate where a problem may be occurring.

3

Hello @bcariaga

Thanks for the clarification.

If the SaaS Connector framework does not support deleted accounts/entitlements during delta aggregation, would a VA Connector support this?

Our required use cases are:

  • Full account aggregation: create and delete
  • Delta account aggregation: create, modify, and delete
  • Full entitlement aggregation: create and delete
  • Delta entitlement aggregation: create, modify, and delete

Entitlement types needed:

  • Group
  • Role

Can someone confirm whether SaaS Connector supports deleted: true account and entitlement delta aggregation?

If not, is VA Connector the recommended approach for these requirements?

4

I tested the custom SaaS connector aggregation scenarios.

Working:

  • Account Full Aggregation: worked
  • Account Delta Aggregation: worked for Create, Modify, and Delete
  • Entitlement Full Aggregation: worked for all entitlement types:
    • Group
    • Role
    • Profile

Not Working:

  • Entitlement Delta Aggregation:
    • Group: not working
    • Role: not working
    • Profile: not working

The connector spec has stateful commands enabled

"supportsStatefulCommands": true

The source config also has delta/stateful enabled:

"spConnEnableStatefulCommands": true

The SailPoint docs for std:entitlement:list mention Delta Aggregation / State using supportsStatefulCommands, spConnEnableStatefulCommands, res.saveState(state), input.stateful, and input.state.
Documentation: Entitlement List | SailPoint Developer Community

The connector is following the documented entitlement stateful pattern from SailPoint’s docs:

-- connector-spec.json:

"supportsStatefulCommands": true

{
  "key": "spConnEnableStatefulCommands",
  "label": "Enable Delta Aggregation",
  "required": true,
  "type": "checkbox"
}


-- src/index.ts saves state for entitlement aggregation:

const state = restClient.newState()
...
res.saveState(state)


-- src/my-client.ts handles entitlement input.stateful + input.state by selecting the delta path only when both are present:

const path = this.pathForState(listPath, deltaPath, state, stateful)

However, when I trigger Entitlement Aggregation from the ISC UI, ISC is invoking a full entitlement aggregation.

Observation:

  • Account delta works as expected after a full account aggregation, including Create, Modify, and Delete.
  • The issue appears specific to entitlement aggregation. When triggered from the ISC UI, entitlement aggregation is still calling std:entitlement:list as full aggregation, not with input.stateful=true.

Question:

  • Can anyone confirm whether entitlement delta is supported for custom SaaS connectors, and if yes, how to trigger delta for Group, Role, and Profile?